Re: Security Question

On Mon, Feb 14, 2005 at 09:25:43AM -0800, Scott Becker wrote:
> Does anybody know which mailing list addresses security issues?

fedora-list is best for this in general. But there is a "-devel" issue
here.....

> Logwatch on my server reported this:
> apache logged in from dsl-82-199-133-138.dutchdsl.nl (82.199.133.138) using 
> password: 1 Time(s)
> My apache account is active so I can su to it to administer postgresql 
> databases accessible via php scripts. No password is set. It was my 
> understanding that it would be impossible to log in except via su from 
> root. Either I'm dead wrong or there's a security hole which needs fixed.

I think the problem here is that you're dead wrong. If no password is set
and the account isn't locked, anyone can log in. Make sure the account is
locked.

For this reason, I apply the following patch to authconfig, to make the
default configuration disallow logins with null passwords. I think it'd be a
good idea to make this be the default, in fact. People who really want empty
passwords should have to do this to themselves.

--- ../authconfig-4.1.6.orig/authinfo.c Wed Aug 29 14:26:40 2001
+++ ./authinfo.c        Wed Aug 29 14:29:46 2001
@@ -2061,9 +2061,7 @@
 static const char *argv_unix_auth[] = {
        "likeauth",
-       "nullok",
        NULL,
 };
 static const char *argv_unix_password[] = {
-       "nullok",
        "use_authtok",
        NULL,
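
Review bot: the removal of "nullok" from argv_unix_password is not covered by the stated purpose. The description is about disallowing logins with null passwords, which is the argv_unix_auth change; the password-stack change needs its own sentence saying what is intended for an account whose current password is empty when it goes to set one, or it should be left out of this patch. A one-line comment above argv_unix_auth noting that nullok is omitted on purpose would also keep it from being added back later.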


-- 
Matthew Miller            mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
-->  Fedora Users & Developers Conference, hosted by Boston University  <--
February 18th, 2005                       <http://fedoraproject.org/fudcon/>  
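
The check described in the message above (an unlocked account with no password, combined with a pam_unix line that carries nullok), as an added example that is not part of the original post. The shadow and PAM lines are constructed sample data in /etc/shadow and /etc/pam.d format, and the function names are hypothetical.

```python
import os

# Constructed sample data (not taken from any real system).
SAMPLE_SHADOW = """\
root:$1$constructed$notarealhashvalue000000:12800:0:99999:7:::
apache::12800:0:99999:7:::
postgres:!!:12800:0:99999:7:::
bin:*:12800:0:99999:7:::
"""
SAMPLE_PAM = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
account     required      /lib/security/$ISA/pam_unix.so
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
"""

def classify_shadow(text):
    """Map each account to 'empty', 'locked' or 'set' from its password field."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        pw = fields[1]
        if pw == "":
            result[fields[0]] = "empty"      # no password is required
        elif pw[0] in "!*":
            result[fields[0]] = "locked"     # not a valid crypt(3) result
        else:
            result[fields[0]] = "set"
    return result

def nullok_types(pam_text):
    """Return the PAM types (auth, password, ...) whose pam_unix line has nullok."""
    found = set()
    for line in pam_text.splitlines():
        tokens = line.split("#", 1)[0].split()   # drop comments, then tokenize
        for i, tok in enumerate(tokens):
            is_unix = os.path.basename(tok).startswith("pam_unix")
            if is_unix and "nullok" in tokens[i + 1:]:
                found.add(tokens[0].lstrip("-"))
    return found

def exposed_accounts(shadow_text, pam_text):
    """Accounts pam_unix would authenticate with no password under this stack."""
    if "auth" not in nullok_types(pam_text):
        return []
    return sorted(u for u, s in classify_shadow(shadow_text).items() if s == "empty")
```

On a live system, pass the contents of /etc/shadow and the relevant /etc/pam.d file to `exposed_accounts`; an empty list means no account is reachable through a null password via pam_unix.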

